Secweb is a pack of security middlewares for fastApi and starlette servers it includes CSP, HSTS, and many more
Project description
Secweb helps in setting security headers for FastApi and Starlette
Secweb is the pack of middlewares for setting security headers for fastapi and can also be used for any framework created on starlette it has 16 middlewares for setting headers of your website and also for your api(s).
The PermissionsPolicy middleware lies in development branch here
The list of middleware is as follows:
- Content Security Policy (CSP)
- Origin Agent Cluster
- Referrer Policy
- HTTP Strict Transport Security(HSTS)
- HTTP Strict Transport Security(HSTS) for WebSockets
- X-Content-Type-Options
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Frame
- X-Permitted-Cross-Domain-Policies
- X-XSS-Protection
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Clear-Site-Data
- Cache-Control
Requirements
Installation
pip install Secweb
Usage
The package Secweb can be used in two different ways
- To use SecWeb class it includes all the 16 classes together
- To use the 16 middleware classes separately
SecWeb class
from Secweb import SecWeb
SecWeb(app=app) # The app is the ASGIapp required by the starlette to give access to the different methods to the class
The above example uses all the default headers value that are are preset you can change the values by creating the option dict you can also set flags for nonce generation for csp header using the script_nonce=True and style_nonce=True flags also report_only flag is added for csp report only header. For Clear-Site-Data header Routes=[] array is used for applying the header it is empty by default.
from Secweb import SecWeb
SecWeb(app=app, Option={'referrer': {'Referrer-Policy': 'no-referrer'}}, Routes=[], script_nonce=False, style_nonce=False, report_only=False)
The Option uses 16 keys for calling middleware classes to set the user-defined policies or activating\deactivating header(s).
Note: Activating/Deactivating the header can only be done in SecWeb class in Option param, eg:
from Secweb import SecWeb
Secweb(app=app, Option={'referrer': False, 'xframe': False})
The values are as follows:
'csp'for calling ContentSecurityPolicy class to set the user-defined values or activate/deactivate the header
'referrer'for calling ReferrerPolicy class to set the user-defined values or activate/deactivate the header
'xdns'for calling XDNSPrefetchControl class to set the user-defined values or activate/deactivate the header
'xcdp'for calling XPermittedCrossDomainPolicies class to set the user-defined values or activate/deactivate the header
'hsts'for calling HSTS class to set the user-defined values or activate/deactivate the header
'wshsts'for calling WsHSTS class to set the user-defined values for Websockets or activate/deactivate the header
'xframe'for calling XFrame class to set the user-defined values or activate/deactivate the header
'coep'for calling CrossOriginEmbedderPolicy class to set the user-defined values or activate/deactivate the header
'coop'for calling CrossOriginOpenerPolicy class to set the user-defined values or activate/deactivate the header
'corp'for calling CrossOriginResourcePolicy class to set the user-defined values or activate/deactivate the header
'clearSiteData'for calling ClearSiteData class to set the user-defined values or activate/deactivate the header
'cacheControl'for calling CacheControl class to set the user-defined values or activate/deactivate the header
'xcto'for activating/deactivating X-Content-Type-Options header
'xdo'for activating/deactivating X-Download-Options header
'xss'for activating/deactivating x-xss-protection header
'oac'for activating/deactivating Origin-Agent-Cluster header
# Example of the values
SecWeb(app=app, Option={'csp': {'default-src': ["'self'"]}, 'xframe': {'X-Frame-Options': 'SAMEORIGIN'}, 'hsts': {'max-age': 4, 'preload': True}, 'wshsts': {'max-age': 10, 'preload': True},'xcdp': {'X-Permitted-Cross-Domain-Policies': 'all'}, 'xdns': {'X-DNS-Prefetch-Control': 'on'}, 'referrer': {'Referrer-Policy': 'no-referrer'}, 'coep': {'Cross-Origin-Embedder-Policy': 'require-corp'}, 'coop': {'Cross-Origin-Opener-Policy': 'same-origin-allow-popups'}, 'corp': {'Cross-Origin-Resource-Policy': 'same-site'}, 'clearSiteData': {'cache': True, 'storage': True}, 'cacheControl': {'public': True, 's-maxage': 600}, 'xss': False}, Routes=['/login/{id}', '/logout/{id:uuid}/username/{username:string}'])
Middleware Classes
Content Security Policy (CSP)
ContentSecurityPolicy class sets the csp header
The Nonce_Processor module generates nonce for csp header
Nonce Processor
# Some Code
nonce = Nonce_Processor(DEFAULT_ENTROPY=90) # inject the nonce variable into the jinja or html
# Some Code
DEFAULT_ENTROPY is used to set the nonce length.
The nonce processor needs to be called on the route the following example is of FastApi calling the nonce processor on the route
from fastapi import FastAPI
from Secweb.ContentSecurityPolicy import Nonce_Processor
app = FastAPI()
@app.get("/")
async def root():
# some code
nonce = Nonce_Processor(DEFAULT_ENTROPY=90) # inject the nonce variable into the jinja or html
# some more code
ContentSecurityPolicy
This is for the FastApi
from fastapi import FastAPI
from Secweb.ContentSecurityPolicy import Nonce_Processor
app = FastAPI()
app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'base-uri': ["'self'"], 'block-all-mixed-content': []}, script_nonce=False, style_nonce=False, report_only=False)
This is for the Starlette
from starlette.applications import Starlette
from Secweb.ContentSecurityPolicy import Nonce_Processor
app = Starlette()
app.add_middleware(ContentSecurityPolicy, Option={'default-src': ["'self'"], 'base-uri': ["'self'"], 'block-all-mixed-content': []}, script_nonce=False, style_nonce=False, report_only=False)
script_nonce=False This is the nonce flag for inline Js
style_nonce=False This is the nonce flag for inline css
report_only=False This is the report only flag which makes csp report only header
For more detail on CSP header go to this MDN Docs
For more detail on CSP-report-only header go to this MDN Docs
Origin Agent Cluster
OriginAgentCluster class sets the Origin-Agent-Cluster header the class takes no parameters
from fastapi import FastAPI
from Secweb.OriginAgentCluster import OriginAgentCluster
app = FastAPI()
app.add_middleware(OriginAgentCluster)
# OR
from starlette.applications import Starlette
from Secweb.OriginAgentCluster import OriginAgentCluster
app = Starlette()
app.add_middleware(OriginAgentCluster)
For more detail on Origin-Agent-Cluster header go to this WHATWG Site
Referrer Policy
ReferrerPolicy class sets the Referrer-Policy header
from fastapi import FastAPI
from Secweb.ReferrerPolicy import ReferrerPolicy
app = FastAPI()
app.add_middleware(ReferrerPolicy, Option={'Referrer-Policy': 'strict-origin-when-cross-origin'})
# OR
from starlette.applications import Starlette
from Secweb.ReferrerPolicy import ReferrerPolicy
app = Starlette()
app.add_middleware(ReferrerPolicy, Option={'Referrer-Policy': 'strict-origin-when-cross-origin'})
For more detail on Referrer-Policy header go to this MDN Docs
HTTP Strict Transport Security (HSTS)
HSTS class sets the Strict-Transport-Security header
from fastapi import FastAPI
from Secweb.StrictTransportSecurity import HSTS
app = FastAPI()
app.add_middleware(HSTS, Option={'max-age': 4, 'preload': True})
# OR
from starlette.applications import Starlette
from Secweb.StrictTransportSecurity import HSTS
app = Starlette()
app.add_middleware(HSTS, Option={'max-age': 4, 'preload': True})
For more detail on Strict-Transport-Security header go to this MDN Docs
HTTP Strict Transport Security (HSTS) for WebSockets
HSTS class sets the Strict-Transport-Security header for Websockets
from fastapi import FastAPI
from Secweb.WsStrictTransportSecurity import WsHSTS
app = FastAPI()
app.add_middleware(WsHSTS, Option={'max-age': 4, 'preload': True})
# OR
from starlette.applications import Starlette
from Secweb.WsStrictTransportSecurity import WsHSTS
app = Starlette()
app.add_middleware(WsHSTS, Option={'max-age': 4, 'preload': True})
For more detail on Strict-Transport-Security header go to this MDN Docs
X-Content-Type-Options
XContentTypeOptions class sets the X-Content-Type-Options header the class takes no parameters
from fastapi import FastAPI
from Secweb.XContentTypeOptions import XContentTypeOptions
app = FastAPI()
app.add_middleware(XContentTypeOptions)
# OR
from starlette.applications import Starlette
from Secweb.XContentTypeOptions import XContentTypeOptions
app = Starlette()
app.add_middleware(XContentTypeOptions)
For more detail on X-Content-Type-Options header go to this MDN Docs
X-DNS-Prefetch-Control
XDNSPrefetchControl class sets the X-DNS-Prefetch-Control header
from fastapi import FastAPI
from Secweb.XDNSPrefetchControl import XDNSPrefetchControl
app = FastAPI()
app.add_middleware(XDNSPrefetchControl, Option={'X-DNS-Prefetch-Control': 'on'})
# OR
from starlette.applications import Starlette
from Secweb.XDNSPrefetchControl import XDNSPrefetchControl
app = Starlette()
app.add_middleware(XDNSPrefetchControl, Option={'X-DNS-Prefetch-Control': 'off'})
For more detail on X-DNS-Prefetch-Control header go to this MDN Docs
X-Download-Options
XDownloadOptions class sets the X-Download-Options header the class takes no parameter
from fastapi import FastAPI
from Secweb.XDownloadOptions import XDownloadOptions
app = FastAPI()
app.add_middleware(XDownloadOptions)
# OR
from starlette.applications import Starlette
from Secweb.XDownloadOptions import XDownloadOptions
app = Starlette()
app.add_middleware(XDownloadOptions)
X-Frame
XFrame class sets the X-Frame-Options header
from fastapi import FastAPI
from Secweb.XFrameOptions import XFrame
app = FastAPI()
app.add_middleware(XFrame, Option={'X-Frame-Options': 'DENY'})
# OR
from starlette.applications import Starlette
from Secweb.XFrameOptions import XFrame
app = Starlette()
app.add_middleware(XFrame, Option={'X-Frame-Options': 'DENY'})
For more detail on X-Frame-Options header go to this MDN Docs
X-Permitted-Cross-Domain-Policies
XPermittedCrossDomainPolicies class sets the X-Permitted-Cross-Domain-Policies header
from fastapi import FastAPI
from Secweb.XPermittedCrossDomainPolicies import XPermittedCrossDomainPolicies
app = FastAPI()
app.add_middleware(XPermittedCrossDomainPolicies, Option={'X-Permitted-Cross-Domain-Policies': 'none'})
# OR
from starlette.applications import Starlette
from Secweb.XPermittedCrossDomainPolicies import XPermittedCrossDomainPolicies
app = Starlette()
app.add_middleware(XPermittedCrossDomainPolicies, Option={'X-Permitted-Cross-Domain-Policies': 'none'})
For more detail on X-Permitted-Cross-Domain-Policies header go to this OWASP Site
X-XSS-Protection
xXSSProtection class sets the X-XSS-Protection header the class takes no parameter
from fastapi import FastAPI
from Secweb.xXSSProtection import xXSSProtection
app = FastAPI()
app.add_middleware(xXSSProtection)
# OR
from starlette.applications import Starlette
from Secweb.xXSSProtection import xXSSProtection
app = Starlette()
app.add_middleware(xXSSProtection)
For more detail on X-XSS-Protection header go to this MDN Docs
Cross Origin Embedder Policy
CrossOriginEmbedderPolicy class sets the Cross Origin Embedder Policy header
from fastapi import FastAPI
from Secweb.CrossOriginEmbedderPolicy import CrossOriginEmbedderPolicy
app = FastAPI()
app.add_middleware(CrossOriginEmbedderPolicy, Option={'Cross-Origin-Embedder-Policy': 'unsafe-none'})
# OR
from starlette.applications import Starlette
from Secweb.CrossOriginEmbedderPolicy import CrossOriginEmbedderPolicy
app = Starlette()
app.add_middleware(CrossOriginEmbedderPolicy, Option={'Cross-Origin-Embedder-Policy': 'unsafe-none'})
For more detail on Cross Origin Embedder Policy header go to this MDN Docs
Cross Origin Opener Policy
CrossOriginOpenerPolicy class sets the Cross Origin Opener Policy header
from fastapi import FastAPI
from Secweb.CrossOriginOpenerPolicy import CrossOriginOpenerPolicy
app = FastAPI()
app.add_middleware(CrossOriginOpenerPolicy, Option={'Cross-Origin-Opener-Policy': 'unsafe-none'})
# OR
from starlette.applications import Starlette
from Secweb.CrossOriginOpenerPolicy import CrossOriginOpenerPolicy
app = Starlette()
app.add_middleware(CrossOriginOpenerPolicy, Option={'Cross-Origin-Opener-Policy': 'unsafe-none'})
For more detail on Cross Origin Opener Policy header go to this MDN Docs
Cross Origin Resource Policy
CrossOriginResourcePolicy class sets the Cross Origin Resource Policy header. You have to call the CrossOriginResourcePolicy class explicitly by providing the 'corp' key in the Option dictionary.
from fastapi import FastAPI
from Secweb.CrossOriginResourcePolicy import CrossOriginResourcePolicy
app = FastAPI()
app.add_middleware(CrossOriginResourcePolicy, Option={'Cross-Origin-Resource-Policy': 'same-site'})
# OR
from starlette.applications import Starlette
from Secweb.CrossOriginResourcePolicy import CrossOriginResourcePolicy
app = Starlette()
app.add_middleware(CrossOriginResourcePolicy, Option={'Cross-Origin-Resource-Policy': 'same-site'})
For more detail on Cross Origin Resource Policy header go to this MDN Docs
Clear Site Data
ClearSiteData class sets the Clear-Site-Data header. In this class the routes array is compulsory so that the header can only be applied to the specified route as it clears every data on the users browser you can add static, dynamic routes like shown below.
from fastapi import FastAPI
from Secweb.ClearSiteData import ClearSiteData
app = FastAPI()
app.add_middleware(ClearSiteData, Option={'cookies': True}, Routes=['/login', '/logout/{id}'])
# OR
from starlette.applications import Starlette
from Secweb.ClearSiteData import ClearSiteData
app = Starlette()
app.add_middleware(ClearSiteData, Option={'cookies': True}, Routes=['/login', '/logout/{id}'])
For more detail on Clear Site Data Header go to this MDN Docs
Cache Control
CacheControl class sets the Cache-Control header. This is useful for controlling cached data on user`s browser
from fastapi import FastAPI
from Secweb.CacheControl import CacheControl
app = FastAPI()
app.add_middleware(CacheControl, Option={'s-maxage': 600, 'public': True})
# OR
from starlette.applications import Starlette
from Secweb.CacheControl import CacheControl
app = Starlette()
app.add_middleware(CacheControl, Option={'s-maxage': 600, 'public': True})
For more detail on Cache Control Header go to this MDN Docs
Contributing
Pull requests and Issues are welcome. For major changes, please open an issue first to discuss what you would like to change.
License
Secweb Icon
Secweb Icon © 2021 - 2024 by Motagamwala Taha Arif Ali is licensed under Attribution-NonCommercial-NoDerivatives 4.0 International
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file secweb-1.11.0.tar.gz.
File metadata
- Download URL: secweb-1.11.0.tar.gz
- Upload date:
- Size: 25.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 76fd7971209faa576e9a634810c7b29035eaa23abea611ee9c7b78b9337d5f7d |
|
| MD5 | deb3272cb6217fd3f2bc9604e4083cf7 |
|
| BLAKE2b-256 | a90f54bd3b252bb09ab1e24b64b020f21a18f046e79a0cf81d228ab0e0d08f84 |
File details
Details for the file Secweb-1.11.0-py3-none-any.whl.
File metadata
- Download URL: Secweb-1.11.0-py3-none-any.whl
- Upload date:
- Size: 39.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.0 CPython/3.11.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2e398e65f053488e1c2caa79b5dc285f3c7ba5c639da49f2648dc41a04e59781 |
|
| MD5 | 653955b62e5354562d8a924c56f89d4b |
|
| BLAKE2b-256 | 381607e06931901709b67194b93334ad85460b255d972e97270fe31f843b84d0 |
